Verify an SD-JWT VC presentation
A wallet hands your service a presentation: the issuer-signed SD-JWT, the
disclosures the holder chose to reveal, and a Key Binding JWT proving the holder
controls the credential. k2gl/sd-jwt-vc verifies all
three.
Install
composer require k2gl/sd-jwt-vc
Verify
use K2gl\Dsse\PublicKey;
use K2gl\SdJwt\KeyBinding;
use K2gl\SdJwtVc\SdJwtVcVerifier;
$verified = new SdJwtVcVerifier()->verifyPresentation(
$presentation, // the compact ~-separated string
PublicKey::fromJwk($issuerJwk), // the issuer's public key
KeyBinding::required(
audience: 'https://verifier.example.com',
nonce: $nonceYouIssued,
maxAgeSeconds: 300,
),
);
$verified->vct(); // the credential type
$verified->claims(); // only the claims the holder disclosed
The verifier recomputes every disclosure digest against the signed payload — a disclosure the issuer never committed to is rejected, not silently accepted. Key binding ties the presentation to your audience and nonce, so a credential lifted from another verifier replays nowhere.
Beyond a pinned key, issuer keys can come from x5c certificate chains or the
issuer’s /.well-known metadata — see the package page.
Poke at one first
Generate a demo credential with the SD-JWT generator, then take it apart in the debugger — or start from the digital identity overview.